Hyperbola as a project follows a long-term-support approach and therefore combines updates with a focus on security, privacy and exclusively free, permissive licensing. While our main focus lies on community-oriented software, we also do not always include the newest versions of those projects.
In this article we explain our perspective on upgrades and the approach we follow for Hyperbola GNU/Linux-libre and for HyperbolaBSD, our BSD-descendant operating system.
Hyperbola was never intended to be a highly complex system, and it still is not. Quite the opposite: we want to provide a system oriented on minimalism, privacy and security. But what exactly do those words mean? For reference we first refer to our three points for a stable system. Applied to our packaging, those points result in clear and clean builds and in packaged software with as many dependencies removed or reduced as possible.
Our point here is: simple answers for a complex world never work. Providing a growing number of packages only works with a growing number of people maintaining them. The more packages and components a system uses, the more possible attack vectors are available, and the sooner actors, whatever their reasoning, will make use of them.
The better we are able to reduce and optimize our packaged software, the more understanding, support and enhancements become possible. This also results in packages that may look quite old but are under active maintenance on our side so that we can keep working with them. Our goal is never to offer more and more software, but to provide the most optimized packages with minimalism in mind, so that our essential goal of technical emancipation can be realized. Users should always be able to understand all parts of the system and therefore be in full control of every aspect.
XZ Utils, and its underlying library liblzma, are free, libre projects that implement LZMA compression and decompression. They are included in many systems out of the box, are very popular with developers, and are therefore used extensively.
Almost two years ago, a person under the name of Jia Tan joined the project and started opening requests for various fixes and improvements. In general, nothing about this is out of the ordinary, as this is how free and libre software works at its core. But after building trust and credibility, Jia Tan began to receive permissions for the code repository: first commit permissions, and afterwards also release-management rights.
It seems that as part of the effort to gain these permissions, Jia Tan used an interesting form of social engineering: from the current perspective and the status of the ongoing analysis, that person, or possibly several actors, used fake accounts to send a myriad of feature requests and complaints about problems to pressure the original maintainer, eventually creating the need to add another maintainer to the repository.
After contributing to the code for approximately two years, in 2023 Jia Tan introduced a few changes to XZ that were included in releases 5.6.0 and 5.6.1. Among these changes was a sophisticated backdoor to gain full control over running SSH daemons. As the aforementioned actors also sent reports to different systems urging them to upgrade to the released versions containing the backdoor, more well-intentioned mechanisms were misused, damaging the essential trust.
As Hyperbola does not follow those approaches and most of the time rejects immediate upgrades to the newest versions, there was no risk for us at that point. Nevertheless, the dangers within the described approaches show how much pressure free, libre software is under in the current times. Besides the fact that the most important part of free software was attacked, namely the trust in people who invest their own time to develop software with good intentions, this also shows how political this attack is.
We have mentioned before that we follow the approach of optimizing our packages with every newly released version, and this also includes the compilers and programming environments we ship. For HyperbolaBSD we certainly want to use newer standards like C17 (gnu17).
The reasoning is the same as mentioned before: minimalism, but also a focus on clear and clean code. When a piece of software runs fine with the environment in use and is, above all, free from errors, it is also much easier to focus on later updates, including enumerating and evaluating possible problems. Following only the paradigm of “upgrade fast and without compromises” always ends in unseen spots, which later surely turn into severe errors and bugs.
Our pre-alpha will nevertheless first follow the approach of using GCC-4 with C99 as its base. You can therefore also see the progression: as said, the follow-up development for further releases will conclude with the use of GCC-8 and the migration of the working code base first established with C99.
In this article we have explained in more detail why Hyperbola as a system project does not want to follow the principle of always including the newest releases. Besides the fact that this is no promise of more security (Example #1), we can also conclude that it would risk the stability of our system and its further development: knowing the dependencies, understanding the system and working out good, secure development. The less, the better and cleaner!
We have no interest in providing the newest releases of software projects, as we have our own vision of how the system should work for its users. And always providing the newest versions is also not the best idea when it comes to stability and security. Yes, this may not be the most convenient perspective, especially with regard to web browsers. But please keep in mind that first and foremost, free, libre software is executed locally on the computer and not in some web browser. If running everything in a web browser is your idea, Hyperbola is not the system to install for your use cases.